Apple’s T2 Chip Has Unpatchable Security Flaw, Claims Researcher

Intel Macs that use Apple’s T2 Security Chip are vulnerable to an exploit that could allow a hacker to circumvent disk encryption, firmware passwords and the whole T2 security verification chain, according to a cybersecurity researcher.


Apple’s custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. In a blog post, however, security researcher Niels Hofmans claims that because the chip is based on an A10 processor it’s vulnerable to the same checkm8 exploit that is used to jailbreak iOS devices.

This vulnerability is reportedly able to hijack the boot process of the T2’s SepOS operating system to gain access to the hardware. Normally the T2 chip exits with a fatal error if it is in Device Firmware Update (DFU) mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, Hofmans

Read More
Read More

Saints’ situation exposes flaw in NFL’s contact tracing system

Before the season, the NFL boasted of a new contact-tracing technology that would keep players from getting too close together and that would make it easier to work backward to identify others who need to be tested and/or evaluated in the event a player tests positive. During the season, there’s an apparent problem with the so-called “Proximity Recording Device.”

As noted in the immediate aftermath of the news that Saints had learned late last night that fullback Michael Burton had tested positive for COVID-19, the contact-tracing process identified three people who required further testing, etc. The Saints identified on their own four others who were sitting close enough to Burton on the flight to Detroit that the Proximity Recording Device should have recorded their proximity to Burton. It should have, but it didn’t.

It’s important for the league to be willing to take a hard look at its protocols on

Read More
Read More

Grindr flaw allowed hijacking accounts with just an email address

A Grindr vulnerability allowed anyone who knows a user’s email address to easily reset their password and hijack their account. All a bad actor needed to do was type in a user’s email address in the password reset page and then pop open the dev tools to get the reset token. By adding that token to the end of the password reset URL, they won’t even need to access the victim’s inbox — that’s the exact link sent to the user’s email anyway. It loads the page where they can input a new password, giving them a way to ultimately take over the victim’s account.



BERLIN, GERMANY - APRIL 22: The logo of the dating app for gay and bisexual men Grindr is shown on the display of a smartphone on April 22, 2020 in Berlin, Germany. (Photo by Thomas Trutschel/Photothek via Getty Images)


BERLIN, GERMANY – APRIL 22: The logo of the dating app for gay and bisexual men Grindr is shown on the display of a smartphone on April 22, 2020 in Berlin, Germany. (Photo by Thomas Trutschel/Photothek via Getty Images)

A French security researcher named Wassime

Read More
Read More

A security flaw in Grindr let anyone easily hijack user accounts

Grindr, one of the world’s largest dating and social networking apps for gay, bi, trans, and queer people, has fixed a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address.

Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the issue to Grindr. When he didn’t hear back, Bouimadaghene shared details of the vulnerability with security expert Troy Hunt to help.

The vulnerability was fixed a short time later.

Hunt tested and confirmed the vulnerability with help from a test account set up by Scott Helme, and shared his findings with TechCrunch.

Bouimadaghene found the vulnerability in how the app handles account password resets.

To reset a password, Grindr sends the user an email with a clickable link containing an account password reset token. Once clicked, the user can change their password and is allowed back into

Read More
Read More